SharePoint RCE CVE-2026-45659 added to CISA KEV
CISA warned on Wednesday that attackers have begun exploiting a high-severity Microsoft SharePoint remote code execution vulnerability patched in May. [...]
What Happened
CISA added CVE-2026-45659-a high-severity Microsoft SharePoint Server remote code execution vulnerability-to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday. This follows reports from BleepingComputer and The Hacker News confirming active exploitation in the wild. Microsoft patched the flaw in its May 2026 security update bundle, but organizations that have not yet applied the patch are now at direct risk.
The vulnerability affects multiple versions of SharePoint Server. While Microsoft initially labeled it “important” severity, the pivot to active exploitation-confirmed by CISA’s binding operational directive (BOD 22-01)-escalates the risk profile to critical for all federal agencies and enterprises running the affected software.
Why It Matters
SharePoint is a core collaboration platform embedded in enterprise workflows-document management, intranet portals, and cross-department content sharing. A successful RCE against SharePoint can allow an attacker to execute arbitrary code in the context of the SharePoint server process, potentially gaining persistent access to sensitive corporate data, credentials, and downstream network resources.
Because SharePoint often has elevated privileges within Active Directory environments and integrates with other Microsoft services (Teams, Exchange, OneDrive), a single foothold can cascade into broader lateral movement. For organizations still running unpatched instances 30+ days after the patch dropped, the window for remediation has effectively closed-attackers are now weaponizing the vulnerability at scale.
Technical Details
CVE-2026-45659 is a remote code execution vulnerability in Microsoft SharePoint Server. The attack vector is network-based, requires low complexity, and does not require authentication. An unauthenticated attacker can send specially crafted HTTP requests to a vulnerable SharePoint server to achieve code execution.
No user interaction is required for exploitation. This makes the flaw particularly dangerous for internet-facing SharePoint deployments. The CVSSv3 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability. CISA did not provide specific indicators of compromise (IOCs) in its KEV notification, but Microsoft’s advisory notes that no workarounds exist-the fix requires applying the May 2026 security update.
Detailed analysis and proof-of-concept code have been published in our advisory page.
Immediate Risk
The risk is immediate and severe for any organization that has not patched. Based on CISA’s KEV inclusion and confirmed reports of active exploitation, security teams should assume adversaries are scanning for unpatched SharePoint servers. The vulnerability is trivial to exploit relative to its impact.
Priority actions:
- Apply the May 2026 security update to all SharePoint Server installations immediately.
- Verify patch status via
Get-SharePointProductVersionPowerShell cmdlet. - If patching is delayed, isolate internet-facing SharePoint servers behind a web application firewall (WAF) with strict rulesets.
- Audit logs for anomalous HTTP requests to SharePoint endpoints using the timeframe of the advisory.
Security Insight
This incident mirrors the pattern of CVE-2026-41091 and CVE-2026-45498-Microsoft products with “important” severity ratings that CISA later escalates to KEV after exploitation is confirmed. The common defensive blind spot here is treating severity classification as a deployment priority indicator. In practice, attackers prioritize attacking functionality (SharePoint’s web interface, Defender’s kernel access) over CVSS scores. Organizations should treat all Microsoft server-side patches with network-reachable attack surfaces as critical by default, regardless of the vendor’s initial severity label.
Further Reading
Never miss a security update
Get real-time security alerts delivered to your preferred platform.
Related News
A critical Microsoft SharePoint vulnerability patched in January is now being exploited in attacks, the Cybersecurity and Infrastructure Security Agency (CISA) warned. [...]
Microsoft has pulled a buggy Windows 11 non-security preview update to investigate a known issue that triggers 0x80073712 errors during installation. [...]
Threat actors are evading phishing detection in campaigns targeting Microsoft accounts by abusing the no-code app-building platform Bubble to generate and host malicious web apps. [...]
Microsoft is working to address an ongoing service issue that has intermittently prevented some users from accessing their cloud-based Exchange Online mailboxes via Outlook mobile and Mac desktop clie